Re: [Standards] Deprecating IBR
On 15.11.2015 17:18, Peter Waher wrote: > Hello Florian > > XEP-0158 is not a good idea for Three reasons: First, CAPTCHA is no > longer deemed a secure protection against bots (see Google's reCAPTCHA). > Secondly, it doesn't solve the problem of IoT, with things not operated > by humans. Thirdly, you don't want clients to have to implement support > for other protocols, such as HTTP, to fetch images (or audio/video), > which will make the solution impractical (or even impossible) on devices > with limited Resources. Not if the goal is to prevent mass registration of non-human users. Some captcha like mechanisms still hold strong against automated registrations. Your IoT case is different. You have non-human XMPP clients. The question now is: How to distinguish "bad" clients from "good" ones trying to register. If I where to design an approach how those clients register an account with an XMPP server, then I would simply make the client require a secret token for registration. And this can already be done with XEP-0077. Or what is your idea how it should work? - Florian signature.asc Description: OpenPGP digital signature
Re: [Standards] Deprecating IBR
Hello Florian XEP-0158 is not a good idea for Three reasons: First, CAPTCHA is no longer deemed a secure protection against bots (see Google's reCAPTCHA). Secondly, it doesn't solve the problem of IoT, with things not operated by humans. Thirdly, you don't want clients to have to implement support for other protocols, such as HTTP, to fetch images (or audio/video), which will make the solution impractical (or even impossible) on devices with limited Resources. Best regards, Peter Waher > Deprecating IBR is masking the SPAM problem but not solving it. I also > think that there is much need for an XMPP based registration mechanism. > > Why not improve and the missing pieces to IBR XEP instead of deprecating > it? It appears what IBR lacks is resistance against automated non-human > mass registrations. So why not make XEP-0158 ? 4. mandatory? > > - Florian
Re: [Standards] Deprecating IBR
On 04.11.2015 10:44, Kevin Smith wrote: > So, something for next Council to ponder: > > In light of spam attacks using throw-away accounts, and given than 77 is > final and we’re not going to be able to mandate a significant overhaul, is it > time to deprecate (and obsolete) 77 and send a clear message that this should > not be being used on open networks? Deprecating IBR is masking the SPAM problem but not solving it. I also think that there is much need for an XMPP based registration mechanism. Why not improve and the missing pieces to IBR XEP instead of deprecating it? It appears what IBR lacks is resistance against automated non-human mass registrations. So why not make XEP-0158 § 4. mandatory? - Florian signature.asc Description: OpenPGP digital signature